Georgians wait in line to cast their votes in the 2018 US midterm elections in Snellville, Georgia.
Photograph: Leah Millis/Reuters

Private companies had near-complete control over Georgia’s elections for the 2018 midterms and posed a serious security risk, according to testimony and documents revealed during a federal court case challenging the constitutionality of Georgia’s elections.

Voting machine company Election Systems & Software (ES&S), which has close connections with the Georgia secretary of state’s office and Governor Brian Kemp’s staff, had three staff in Georgia building electronic ballots out of their homes through the 2018 midterms.

This introduced significant security concerns, according to the plaintiffs: both that foreign actors could attack the election system with malware and that a “political insider” could introduce their own code that could alter the results of an election without detection.

“It’s a shock to everyone that the vendor is actually building ballots for state elections,” said David Cross, lead attorney for one of the two groups suing the state. “That should not be happening. That should be at the state level, because the state does not have any means of ensuring the necessary security protocols of the vendor.”

PCC Technologies, which offers voter registration management, hosted Georgia’s online voter registration system on its own servers and was responsible for running the My Voter Page, which gave registered voters important information about their ballots and polling places. In court, it was revealed that PCC was a major security concern for the secretary of state’s office, and that the state was unable to audit the registration system because it was not contractually allowed to access PCC’s servers.

The contract for server hosting ended on 30 June, and the secretary of state’s office – which runs elections in Georgia – is in the process of moving the voter registration system back to its own servers, according to documents produced by the state and the testimony of the secretary of state’s chief information officer, Merritt Beaver.

But the state is continuing its contract with PCC to manage the voter registration system and the My Voter Page.

Voters wait in line in Atlanta, Georgia, on 6 November 2018. Photograph: Leah Millis/Reuters

“It’s the selling of a public election,” said Marilyn Marks, executive director of the Coalition for Good Governance and another plaintiff in the case. “The [election vendor] decides whether or not to mess with the election … Interestingly enough, [Georgia] wrote them a check to do it. I’m not saying they exercised that option, but the state gave them that option.”

The series of revelations on the state’s relationships with ES&S and PCC also exposed mischaracterizations made by Beaver and the secretary of state’s legal team.

The election system that Georgia currently uses has a component called the Gems database. That database holds information used to build the electronic ballots that voters use to cast votes in precincts across Georgia, and is responsible for bringing up the correct ballot to the correct voter.

Beaver told the court that the structure of Georgia’s Gems database was unique and confidential as part of the security procedures for the secretary of state’s office. If the structure of the database was not known to outside parties, then outside parties would find it more difficult to manipulate the election.

The catch, according to Cross, is that ES&S employees were designing ballots from their home offices, in conditions “completely outside the controls the state says they have in place to keep this from happening”.

“You’re taking what the state has said is the roadmap to hack an election and they’re just letting it sit on people’s home computers with no evidence of any kind of security,” Cross said. “I mean, it’s truly insane. I cannot overstate how crazy that is.”

The plaintiffs spent a year and tens of thousands of dollars on litigation, and were required to create secure facilities in order to review those same databases, only to find that they were neither unique nor confidential. The database’s structure was identical to Gems databases from around the country that have been public record for up to 17 years.

Beaver was also shown to have provided misleading information to the court when he told the judge that penetration testing – where a cybersecurity firm attempts to gain access to test the network’s security – ensured that the secretary of state’s computer systems were secure.

Beaver failed to mention to the judge that the testing had failed: the cybersecurity firm was able to take over the entire network. This was only revealed when the state was forced to provide those security reports.

A second round of testing in November 2018 showed some improvement, though many of the vulnerabilities identified a year before had not been fixed.

Georgia announced on Monday it is buying an entirely new voting system from Dominion Voting Systems for nearly $107m, set to be rolled out by next year’s presidential primaries. It is unclear how that announcement will affect the outcome of this case, which centers on the constitutionality of the voting system currently in place in Georgia.

The case, Curling v Raffensperger, is “the most important federal constitutional litigation concerning the baseline requirements for voting systems in order to assure honest elections,” according to Candice Hoke, an elections technology and law expert.

Judge Amy Totenberg is set to issue her ruling in the next week, though an exact date is not known. That ruling is likely to have national impact, even as its specific requirements will only apply to Georgia.

“The remedy will be Georgia specific, but how she interprets the federal constitution and the protections for voting rights – that is a set of principles that will be out there to be evaluated and reflected on by courts and the public for years,” Hoke said.

Georgia’s secretary of state’s office did not respond in time for publication.